1

I have my hosting in a shared hosting (I don't think that's relevant). I want to perform some actions inside a php script, and those actions include reading from a file. I would like that file not to be accessible by anyone, only by the php script (otherwise anyone would be able to get that file without permission just by accessing the link). How can I do that?

  • Set a file as private / non accessible through its URL
  • Setup a php script that can actually read this file

Thanks.

ADyson
Daniel Roca
  • 2
    Put it outside of the web root (usually called something like `wwwdocs`, `public`, or `html`) and call it via the command line... or implement something like a password form or API key. – ceejayoz Dec 15 '21 at 14:27
  • let's say that file is just a photo, not much I can configure there. I would like to upload that "photo" and not allow anyone to view it, but still be able to read it from the php script – Daniel Roca Dec 15 '21 at 14:28
  • 1
    The outside-the-web-root works for that, too. You can use `file_get_contents`, `readfile`, `fopen` etc. to access its contents in your script. – ceejayoz Dec 15 '21 at 14:29
  • If you are talking about a photo, then save the photo into a database table as BLOB data, then the php to retrieve the BLOB data and render it as the graphic (jpeg or png). See this [SO_link](https://stackoverflow.com/questions/7793009/how-to-retrieve-images-from-mysql-database-and-display-in-an-html-tag) for details. In this way, other users will NOT be able to read it from a URL, but can get it from your PHP (which of course you will impose some sort of control) – Ken Lee Dec 15 '21 at 14:35
  • 1
    Don't put images in your database. It will generate much trouble later for you. It's not worth it. https://stackoverflow.com/a/3751 – ALZlper Dec 15 '21 at 15:09
  • "How can I do that" - by writing some code? What have you tried so far? Where are you stuck? – Nico Haase Dec 15 '21 at 15:10
  • if I put it outside of the root folder, how do I access the path? ../anotherPath? (I mean, adding the two dots?) @ceejayoz – Daniel Roca Dec 23 '21 at 00:01
  • You cannot access anything outside the document root, and that is a good security mechanism – Nico Haase Dec 23 '21 at 07:32

2 Answers

0

You can easily forbid access to a folder by adding a .htaccess with this code:

```apache
deny from all
```

Then you can still access it through PHP with fopen() or file_get_contents().

E-telier
0

Method: .htaccess file

As mentioned in https://stackoverflow.com/a/70365577/7335057, you could use a .htaccess file, as long as you are using an Apache or compatible webserver.

Method: Unique URLs

It is also perfectly reasonable to have long random links. https://example.com/usercontent/326a98f7a6c61fb3e37c310c414ca23b16948b4a/test.jpg

You need to make sure the links are not able to be found using brute force as well as only link to files the current user is allowed to see.

The 326a98f7a6c61fb3e37c310c414ca23b16948b4a part of the URL has to be unique for every user. It cannot be the userId hashed or something like that.

Here is an example of how to generate a highly unique but random string for your URL:

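```php
<?php
$partLength = 10;                        // hex characters kept from each hash
$fix = "your-app-node-1";                // fixed per-server identifier
$time = microtime(true);                 // current time as a float
$random = random_int(1000000, 9999999);  // random 7-digit integer

// Each part is the last $partLength hex characters of a SHA-1 hash.
$urlPart = substr(sha1($fix), -$partLength)."-";
$urlPart .= substr(sha1((string) $time), -$partLength)."-";
$urlPart .= substr(sha1((string) $random), -$partLength);
```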

The fix part is mainly for when you use multiple servers, so ids don't collide.

Method: Files outside the root folder

Not all hosters of shared webspaces allow that, but if yours does, put the files in a folder above the root directory to make them not accessible through a web request. Be aware of path traversal attacks though.

Files outside the root dir are usually still accessible using PHP.

ALZlper
  • 1
    I don't understand, if I create that id the file won't be there, or do you mean I have to duplicate the file and put it into that directory? looks like it would create endless junk – Daniel Roca Dec 15 '21 at 15:12
  • You could move, not copy, them. Maybe you have seen the Discord links before: discordapp.net/attachments/676730...4856/unknown.png The links are public, but you could never guess them. – ALZlper Dec 15 '21 at 15:15
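
The "Files outside the root folder" method above warns about path traversal. The following is an added example (not code from the question, the answers or any project) of a PHP script that reads a file from a directory outside the web root and rejects names that escape it. The directory name `private_files`, the `file` query parameter, the function `resolve_private_file` and the type allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: private files sit in a sibling directory of the web root,
// e.g. /home/user/private_files next to /home/user/public_html.
const PRIVATE_DIR = __DIR__ . '/../private_files';
// Assumption: only these types are ever served (hypothetical allowlist).
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

/** Map a user-supplied name to a real file inside $baseDir, or null. */
function resolve_private_file(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator keeps /private_files_old from matching /private_files.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Hypothetical entry point, e.g. serve.php?file=photo.jpg
// Do your own login / permission check before this point.
if (PHP_SAPI !== 'cli') {
    $name = $_GET['file'] ?? '';
    $path = is_string($name) ? resolve_private_file(PRIVATE_DIR, $name) : null;
    $ext  = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($path === null || !array_key_exists($ext, ALLOWED_TYPES)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```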